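#!/usr/bin/perl -w
#--blackshell tool1--#
#--blackshell-sshd.pl--#
#
# This tool is for the purpose of professional security people testing
# their own private/corporate networks.  Under no circumstances is the
# blackshell team responsible for any misuse of this.
#
# Mass scanner for remote security testing of networks for the SSH
# CRC32 compensation attack detector ("deattack") bug.  At the time of
# writing this was being exploited in the wild and leads to complete
# remote compromise of a vulnerable server.  Vulnerable OSes include
# AIX, IRIX, Linux, Solaris, HP-UX, UNICOS (yes).
#
# Method: connect to tcp/22 on every host listed in the input file, read
# the single version line the server sends first ("SSH-<proto>-<software>")
# and compare it against @affected, a list of version strings known to be
# vulnerable.  Results are echoed to the terminal and appended to the log.
#
# Read before trusting the output:
#   * This is a banner comparison only -- nothing is sent to the server
#     beyond the TCP handshake.  A server whose fix was backported without
#     changing its version string is still reported as vulnerable, and an
#     affected build whose banner is not listed in @affected is reported
#     as not matched.  Confirm findings by other means before acting.
#   * The banner is attacker-controlled data.  It is capped in length and
#     stripped of non-printable bytes before being printed or logged so a
#     hostile server cannot inject terminal control sequences.
#   * The earlier version spawned one thread per host and joined it
#     immediately, which serialised the scan anyway; hosts are now scanned
#     one after another with explicit connect/read timeouts, so the
#     deprecated Thread module is no longer needed.
#
# A few thanks: dave dittrich, bindview, team-teso, #!blackshell contributors

use strict;
use warnings;
use Getopt::Std;
use IO::Socket::INET;
use IO::Select;
use Fcntl qw(:flock);

my $banner = qq(
Mass SSHD Vulnerability Scanner by BlackShell
blackshellat_private
);

my $exploit_information = qq(
Advisories:
http://www.securityfocus.com/advisories/3088
http://xforce.iss.net/alerts/advise100.php
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
http://www.securityfocus.com/bugid=2347
http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
http://openssh.org/security.html
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
Information:
http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
http://www.newsbytes.com/news/01/171291.html
http://www.cert.org/incident_notes/IN-2001-12.html
Incidents:
http://archives.neohapsis.com/archives/incidents/2001-12/0009.html
http://archives.neohapsis.com/archives/incidents/2001-12/0047.html
http://archives.neohapsis.com/archives/incidents/2001-12/0102.html
http://archives.neohapsis.com/archives/incidents/2001-12/0103.html
http://archives.neohapsis.com/archives/incidents/2001-12/0189.html
http://archives.neohapsis.com/archives/incidents/2001-12/0225.html
http://archives.neohapsis.com/archives/incidents/2001-12/0240.html
);

# Version strings of SSH servers known to be affected (borrowed from dave's
# code, thanks :>).  Matching is exact; a banner that is not listed is
# reported as "not matched", never as "safe".
my @affected = (
    'SSH-1.5-1.2.24',
    'SSH-1.5-1.2.25',
    'SSH-1.5-1.2.26',
    'SSH-1.5-1.2.27',
    'SSH-1.5-1.2.28',
    'SSH-1.5-1.2.29',
    'SSH-1.5-1.2.30',
    'SSH-1.5-1.2.31',
    'SSH-1.5-OpenSSH-1.2',
    'SSH-1.5-OpenSSH-1.2.1',
    'SSH-1.5-OpenSSH-1.2.2',
    'SSH-1.5-OpenSSH-1.2.3',
    'SSH-1.99-OpenSSH-2.1',
    'SSH-1.99-OpenSSH_2.1.1',
    'SSH-1.99-OpenSSH_2.2.0',
    'SSH-1.99-OpenSSH_2.2.0p1',
);

my $DEFAULT_TIMEOUT = 5;
my $DEFAULT_INFILE  = 'sshd.in';
my $DEFAULT_LOGFILE = 'sshd.log';
my $SSH_PORT        = 22;
my $MAX_BANNER      = 255;   # upper bound on how much of the server's version line we keep

# Options (each is independent; the earlier if/elsif chain honoured only one):
#   -i <INFILE>   hosts to scan, one per line; blank lines and '#' comments skipped
#   -l <LOGFILE>  results are written here (truncated at start, appended per host)
#   -t <SECS>     connect/read timeout per host
#   -d            debug: also print why a host produced no banner
my %args;
getopts('dt:l:i:', \%args) or usage_and_exit();

my $debug   = $args{d} ? 1 : 0;
my $timeout = defined $args{t} ? $args{t} : $DEFAULT_TIMEOUT;
my $infile  = defined $args{i} ? $args{i} : $DEFAULT_INFILE;
my $logfile = defined $args{l} ? $args{l} : $DEFAULT_LOGFILE;

# A non-numeric or zero timeout would make alarm-style waits hang forever.
unless ($timeout =~ /\A\d+(?:\.\d+)?\z/ && $timeout > 0) {
    print STDERR "\nTimeout must be a positive number of seconds\n";
    usage_and_exit();
}

print "\n$banner\n";
print "\nUsing infile: $infile";
print "\nUsing logfile: $logfile";
print "\nUsing Timeout: $timeout!";
print "\nUsing Debuging!" if $debug;

# Three-arg open on a lexical handle; the old code opened FILE and then read
# from <> (STDIN/@ARGV) and blamed $logfile in the error message.
open my $hosts_fh, '<', $infile or die "\nCant read from $infile: $!\n";
write_log_header($logfile);

HOST: while (my $host = <$hosts_fh>) {
    chomp $host;
    $host =~ s/\A\s+//;
    $host =~ s/\s+\z//;
    next HOST if $host eq '' || $host =~ /\A#/;

    # Plain hostnames and dotted-quad addresses only; IPv6 was never
    # supported (the original resolved with inet_aton) and anything else
    # is almost certainly a mangled input line.
    unless ($host =~ /\A[A-Za-z0-9.\-]+\z/) {
        print "\nSkipping malformed host entry: ", sanitize($host);
        next HOST;
    }

    print "\nScanning $host...";
    my ($response, $error) = check_scan($host, $timeout);
    if (!defined $response) {
        print "\n$host: $error" if $debug;
        log_result($logfile, $host, "no banner ($error)");
        next HOST;
    }

    print "\nSSHD is open on $host";
    print "\n${host}'s response...";
    print "\n$response";
    print "\nanalyzing ${host}'s response...";   # was "\a" -- rang the terminal bell
    my $vulnerable = analyze($host, $response);
    log_result($logfile, $host, $response . ($vulnerable ? '  [VULNERABLE]' : ''));
}
close $hosts_fh;

finish_log($logfile);
print "\n\nFinished...\n";
exit 0;

# Print the banner plus option summary and exit non-zero.
sub usage_and_exit {
    print "\n\n$banner\n";
    print "\n\nOptions: ";
    print "\n$0 -i <INFILE> -l <LOGFILE> -d -t 15";
    print "\n";
    print "\ndefaults: ";
    print "\ntimeout: $DEFAULT_TIMEOUT";
    print "\nhost list: $DEFAULT_INFILE";
    print "\nlogfile: $DEFAULT_LOGFILE";
    print "\ndebug: no";
    print "\n";
    exit 1;
}

# Reduce untrusted server output to printable ASCII, capped at $MAX_BANNER
# bytes, before it reaches the terminal or the log file.
sub sanitize {
    my ($text) = @_;
    $text = substr($text, 0, $MAX_BANNER);
    $text =~ s/[^\x20-\x7e]/?/g;
    return $text;
}

# Connect to tcp/$SSH_PORT on $host and read the server's version line.
# Returns ($line, undef) on success or (undef, $reason) on any failure.
# Both the connect and the read are bounded by $timeout seconds; the old
# code called alarm() with no handler, which simply killed the process, and
# read the socket in a loop even when connect() had failed.
sub check_scan {
    my ($host, $timeout) = @_;

    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $SSH_PORT,
        Proto    => 'tcp',
        Timeout  => $timeout,
    ) or return (undef, 'connect failed: ' . ($@ || $!));

    # The server speaks first.  Read until newline, EOF, timeout or size cap;
    # we never send our own version string, so the server will not go on to
    # key exchange and a single line is all we expect.
    my $sel      = IO::Select->new($sock);
    my $buf      = '';
    my $deadline = time + $timeout;
    until ($buf =~ /\n/) {
        my $left = $deadline - time;
        last if $left <= 0;
        last unless $sel->can_read($left);
        my $got = sysread($sock, $buf, 256, length $buf);
        last unless $got;                       # undef = error, 0 = peer closed
        last if length($buf) > $MAX_BANNER;     # misbehaving server, stop reading
    }
    close $sock;

    return (undef, 'no banner received within timeout') if $buf eq '';
    my ($line) = split /\n/, $buf, 2;
    $line =~ s/\r\z//;                           # banners end in CRLF
    return (sanitize($line), undef);
}

# Report whether $result is one of the known-vulnerable banners.
# Returns 1 on a match (after printing the finding), 0 otherwise.
# Comparison is exact with eq; the original used '=' which assigned the
# candidate into $result instead of comparing.
sub analyze {
    my ($host, $result) = @_;
    return 0 unless defined $result;
    for my $bad (@affected) {
        next unless $result eq $bad;
        print "\n$host is running a vulnerable version of SSHD";
        print "\nversion is: $result";
        return 1;
    }
    return 0;
}

# Truncate $path and write the banner and advisory list once per run.
# (The old log() re-truncated the file and rewrote this header on every
# call, so only the last host ever survived in the log.)
sub write_log_header {
    my ($path) = @_;
    open my $log, '>', $path or die "\nCant open $path for writing: $!\n";
    print {$log} "\n$banner\n";
    print {$log} "\n$exploit_information";
    print {$log} "\nResults:";
    close $log or die "\nCant write $path: $!\n";
    return;
}

# Append one "host: result" line under an exclusive lock.  Named log_result
# rather than log so as not to shadow the builtin log().  The handle is
# lexical, so STDOUT is never left select()ed away as it was before.
sub log_result {
    my ($path, $host, $rez) = @_;
    open my $log, '>>', $path or die "\nCant open $path: $!\n";
    flock($log, LOCK_EX) or die "\nCant file lock: $!\n";
    print {$log} "\n${host}: $rez";
    close $log or die "\nCant write $path: $!\n";
    return;
}

# Append the trailer once the whole host list has been processed.
sub finish_log {
    my ($path) = @_;
    open my $log, '>>', $path or die "\nCant open $path: $!\n";
    flock($log, LOCK_EX) or die "\nCant file lock: $!\n";
    print {$log} "\n\nFinished...\n";
    close $log or die "\nCant write $path: $!\n";
    return;
}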